[OpenID] Web of Trust for OP (self-signed) certificates
SitG Admin
sysadmin at shadowsinthegarden.com
Sun May 3 06:12:02 UTC 2009
Let's pretend, for the duration of this post and because it will ease
my pronouns, that I'm an average user. I have just seen an OpenID of
"https://anoynprovider.com/myfriend" at two different RP sites (each
a forum where only authorized users can view posts or see a list of
members), but I know that the provider uses a self-signed cert, so
it's possible that one of the sites has been spoofed. I want to
contact my friend about two posts, one in each forum, which, taken
together, imply something interesting. I could contact both RPs and
ask them what cert they had on file for anoynprovider.com, but I'm
just an average user; I probably don't even know *about* certs
myself, much less how to examine and compare them. Much more
convenient would be if I could just make a standardized query to
either RP, and *they* would compare notes behind the scenes, then let
me know. I don't want to notify either of them of the fact that my
friend is using the other RP, though (my friend probably cares deeply
about privacy, considering the use of anoynprovider.com), so I just
ask them about anoynprovider.com (which *should* be all the RPs
need, anyway), and let them make the appropriate guesses based on how
many users in their system have an OpenID there.

It's not necessary that a web of trust cover everyone, or even that
it store results. It would just be nice if, the moment that it began
to matter (when an average user saw the same URI and wondered if it
really corresponded to the same site), there were a well-known means
of having the RPs involved consult with one another and confirm that
they really were talking about the same site.

It shouldn't matter which of the RPs is asked. Sure, either (even
both!) of them could be *lying* about the user having been there at
all, but that wouldn't prevent either of them from learning the OP's
cert and retransmitting this information in case of a request.
-Shade
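
The comparison described in the post, as an added example that is not part of the original message or of any OpenID specification: two RPs compare fingerprints of the cert each has on file for an OP, with the query keyed only by the OP host so the user's identifier never crosses between them. The RelyingParty class, its method names and the sample certificates are hypothetical, and the certificate bytes are constructed stand-ins rather than real X.509.

```python
import hashlib
import ssl
from urllib.parse import urlsplit

def op_host(openid_url):
    """Reduce an OpenID to the OP host so the query never names the user."""
    return urlsplit(openid_url).hostname

def fingerprint(pem_cert):
    """SHA-256 over the DER bytes, so PEM line wrapping cannot cause a mismatch."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

class RelyingParty:
    """Hypothetical RP that remembers the cert each OP host presented to it."""
    def __init__(self, name):
        self.name = name
        self.seen = {}  # OP host -> PEM cert observed on that RP's connection

    def observe(self, host, pem_cert):
        self.seen[host] = pem_cert

    def answer(self, host):
        """Reply to a peer's query: fingerprint on file, or None if never seen."""
        pem = self.seen.get(host)
        return fingerprint(pem) if pem else None

def compare_notes(asked, peer, openid_url):
    """What the asked RP tells the user: 'same', 'different' or 'unknown'."""
    host = op_host(openid_url)  # only the host is sent to the peer
    mine, theirs = asked.answer(host), peer.answer(host)
    if mine is None or theirs is None:
        return "unknown"
    return "same" if mine == theirs else "different"

# Constructed stand-ins for DER certificates (not real X.509).
GENUINE = ssl.DER_cert_to_PEM_cert(b"constructed-self-signed-cert-A" * 4)
SPOOFED = ssl.DER_cert_to_PEM_cert(b"constructed-self-signed-cert-B" * 4)
```

The result is symmetric, so it does not matter which RP is asked; whether either RP reports its fingerprint honestly is outside what this sketch can check.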